Cryptology ePrint Archive: Report 2021/079

A Side-Channel Attack on a Masked IND-CCA Secure Saber KEM

Kalle Ngo and Elena Dubrova and Qian Guo and Thomas Johansson

Abstract: In this paper, we present the first side-channel attack on a first-order masked implementation of IND-CCA secure Saber KEM. We show how to recover both the session key and the long-term secret key from 16 traces by deep learning-based power analysis, without explicitly extracting the random mask at each execution. Since the presented method does not depend on the mask, we can improve the success probability by combining the score vectors of multiple traces captured for the same ciphertext. This is an important advantage over previous attacks on LWE/LWR-based KEMs, which must rely on a single trace. Another advantage is that the presented method does not require a profiling device with the countermeasure deactivated, or a known secret key. Thus, if a device under attack is accessible, it can itself be used for profiling, which typically maximizes the classification accuracy of deep learning models. In addition, we discovered a previously unknown leakage point in the primitive for masked logical shifting on arithmetic shares. We also present a new approach to secret key recovery that uses maps from error-correcting codes; this approach can compensate for some errors in the recovered message.

Category / Keywords: public-key cryptography / post-quantum cryptography, Saber KEM, side-channel attack, power analysis

Date: received 22 Jan 2021

Contact author: dubrova at kth se

Version: 20210122:203549

Short URL: ia.cr/2021/079